[cifs-protocol] RE: (More): Status: SRX080803600053: [MS-NLMP] raw
NTLMSSP tokens in GSS-API/SPNEGO
billwe at microsoft.com
Wed Nov 5 09:40:26 GMT 2008
Thank you Adam - I have added your comments to the change request.
MCSE, MCTS / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL: +1(980) 776-8200
CELL: +1(704) 661-5438
FAX: +1(704) 665-9606
From: Adam Simpkins [mailto:simpkins at cisco.com]
Sent: Tuesday, November 04, 2008 1:15 PM
To: Bill Wesse
Cc: 'cifs-protocol at samba.org'
Subject: Re: (More): Status: SRX080803600053: [MS-NLMP] raw NTLMSSP tokens in GSS-API/SPNEGO
On Tue, Nov 04, 2008 at 02:57:00AM -0800, Bill Wesse wrote:
> Thank you very much for your considerations. I have filed a
> documentation change request against [MS-NLMP] concerning NTLMSSP
> InitialContextTokens (see 'Expected' below).
Thanks, Bill. I do have one comment about some of your text below:
> Even though we are not claiming compliance with RFC4178, the interpretation of '3.2. Negotiation Procedure' is a point of interest concerning how we embed the NTLM NEGOTIATE MESSAGE MechToken (Netmon 3.2 trace extract below, from the attached spnego_ntlmssp.cap, frame 6.
I just want to clarify that the main issue here is non-compliance with
RFC 2743, not RFC 4178. There are two separate behaviors that need to
be addressed--the behavior without SPNEGO (raw_ntlmssp.cap and
gss_ntlmssp.cap) and the behavior with SPNEGO (spnego_raw_ntlmssp.cap
I think the non-SPNEGO behavior is the most important aspect to
document clearly, and this involves only compliance with RFC 2743, not
RFC 4178. The behavior of the Windows NTLM implementations of
GSS_Init_sec_context() and GSS_Accept_sec_context() are what is at
I think the documentation will be much more clear if it focuses mainly
on the differences from RFC 2743, and doesn't complicate the matter by
bringing in RFC 4178 unnecessarily.
If [MS-NLMP] is updated just to describe the Windows implementation
differences from RFC 2743 (without SPNEGO), then that should also
implicitly cover the SPNEGO discrepancies from RFC 4178. Since RFC
4718 says that SPNEGO implementations should just invoke
GSS_Init_sec_context() and GSS_Accept_sec_context() for the inner
mechanism, proper descriptions of the Windows implementations of these
functions would cover the SPNEGO behavior too. A minor note that
these behaviors also affect SPNEGO should be sufficient.
simpkins at cisco.com